CloudBees Security Advisory 2020-05-26

This advisory announces vulnerabilities in CloudBees Jenkins Platform and CloudBees Core.

Open Redirect vulnerability in Authentication Mechanism in SSO

CTR-1483

As part of the SSO process, the CloudBees Jenkins Operations Center (CJOC) redirects the user to the Master URL to finish the SSO login. The Master derived that URL from the request rather than from its configured address, which made it vulnerable to Host header injection and, through it, to an Open Redirect: an attacker who could influence the Host header could send the victim, together with the in-flight SSO data, to a host of the attacker's choosing and steal the victim's SSO session.

This issue is due to an incomplete fix of CTR-1098, announced on 2020-03-09 and wrongly called "CSRF in Authentication Mechanism in SSO". The vulnerability was not CSRF but Open Redirect.

Masters now only accept SSO requests whose Host header (or X-Forwarded-Host header, when set by a reverse proxy) matches the configured Jenkins Root URL. Any request arriving under a different host is redirected to the configured Jenkins Root URL instead of the requested one.

This check can be disabled on the Operations Center by setting the system property `com.cloudbees.opscenter.server.sso.SSOConfiguration.masterRootURLStrictCheckingDisabled=true`, but doing so reintroduces the Open Redirect, so it should only be used as a temporary workaround while an upgrade is scheduled.
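The check described above, shown as an added example rather than CloudBees' own code: a pre-fix redirect builder that trusts the request's Host, next to a post-fix version that only honours a Host (or X-Forwarded-Host) matching the configured Root URL and otherwise falls back to that URL. The configured root URL, the header values, the SSO callback path and all function names are assumptions made for the example; the strict_checking_disabled flag only mirrors the effect of the property above and is not its implementation.

```python
"""Host-header check for an SSO redirect, modelled on the fix described for
CTR-1483. Added example, not CloudBees code: the root URL, the request
headers, the callback path and the function names are all assumptions."""
from urllib.parse import urlsplit

# Assumed Jenkins Root URL as configured on the Master.
CONFIGURED_ROOT_URL = "https://master.example.com/jenkins/"

# Constructed sample requests and callback path (not captured traffic).
LEGIT_HEADERS = {"Host": "master.example.com:443"}
SPOOFED_HEADERS = {"Host": "master.example.com",
                   "X-Forwarded-Host": "attacker.example"}
SSO_PATH = "/sso/finish?token=example-token"

DEFAULT_PORTS = {"http": 80, "https": 443}


def _effective_host(headers):
    """Host the request was addressed to: a reverse proxy's X-Forwarded-Host
    (first entry if comma-separated) takes precedence over Host."""
    forwarded = headers.get("X-Forwarded-Host")
    host = forwarded.split(",")[0] if forwarded else headers.get("Host", "")
    return host.strip().lower()


def _normalise(host, scheme):
    """Drop a default port so 'host:443' and 'host' compare equal under https.
    IPv6 literals are left untouched for brevity."""
    if ":" in host and not host.startswith("["):
        name, _, port = host.rpartition(":")
        if port.isdigit() and int(port) == DEFAULT_PORTS.get(scheme):
            return name
    return host


def vulnerable_sso_redirect(headers, sso_path):
    """Pre-fix behaviour: the redirect target is built from the incoming Host,
    so a crafted Host or X-Forwarded-Host sends the victim (and whatever the
    callback carries in its query string) to an attacker-controlled origin."""
    root = urlsplit(CONFIGURED_ROOT_URL)
    host = _effective_host(headers)  # attacker-influenced
    return f"{root.scheme}://{host}{root.path.rstrip('/')}/{sso_path.lstrip('/')}"


def hardened_sso_redirect(headers, sso_path, strict_checking_disabled=False):
    """Post-fix behaviour: the request host must match the configured Root URL;
    otherwise the user is sent to the Root URL itself. The flag reproduces
    what turning the strict check off means: the old, unsafe path."""
    if strict_checking_disabled:
        return vulnerable_sso_redirect(headers, sso_path)
    root = urlsplit(CONFIGURED_ROOT_URL)
    expected = _normalise(root.netloc.lower(), root.scheme)
    actual = _normalise(_effective_host(headers), root.scheme)
    if actual != expected:
        return CONFIGURED_ROOT_URL
    # Build the target from the trusted configuration, never from the request.
    return CONFIGURED_ROOT_URL.rstrip("/") + "/" + sso_path.lstrip("/")


if __name__ == "__main__":
    print("vulnerable, spoofed :", vulnerable_sso_redirect(SPOOFED_HEADERS, SSO_PATH))
    print("hardened,   spoofed :", hardened_sso_redirect(SPOOFED_HEADERS, SSO_PATH))
    print("hardened,   legit   :", hardened_sso_redirect(LEGIT_HEADERS, SSO_PATH))
```

The comparison is done on the normalised host and port rather than on the raw header string, so a legitimate request that arrives as `master.example.com:443` is still accepted, while anything that does not resolve to the configured host gets the Root URL and nothing else.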



Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.222.4.3

  • CloudBees Cloud Platforms should be upgraded to 2.222.4.3

  • CloudBees Jenkins Enterprise: the Managed Masters and the Operations Center should be upgraded to 2.222.4.3

  • CloudBees Jenkins Platform (rolling train; CJP Operations Center and CJP Client Master, 2.x.y.z) should be upgraded to version 2.222.4.3

  • CloudBees Jenkins Platform (fixed train; CJP Operations Center and CJP Client Master, 2.190.x.0.z) should be upgraded to version 2.190.31.0.2 rev3